[PLUG] remapping port with iptables

Keith Lofstrom keithl at kl-ic.com
Wed Nov 22 23:06:44 UTC 2006


I have a 2.6.X server with a static IP address, connected directly
to the net, and running iptables.  It does not do NAT.  I am running
an application as nobody, and want to connect to a privileged tcp port
(port number < 1023) so I can get there through firewalls with
restrictions.  One way for my app to be able to reconnect to the
privileged port is to remap it to an unprivileged port > 1024.

Let's say I want to map the external port 321 on eth0 to port 3456
where the application can grab it.  I think it is possible to do
this with NAT rules and IPTABLES.  But I am not an iptables expert,
and could use some review and some confidence building.  Who can help?

If I understand correctly, there are two actions needed: (1) a PREROUTING
rule that does "destination NAT" and rewrites packets with destination
address 321 into packets with destination address 3456.  Next, (2) a
POSTROUTING rule that does "source NAT" and rewrites packets with
source address 3456 into packets with source address 321.  Perhaps
these two rules:

iptables -t nat -A  PREROUTING -d $ETH0 -p tcp --dport  321 -j DNAT \
         --to-destination $ETH0:3456
iptables -t nat -A POSTROUTING -s $ETH0 -p tcp --sport 3456 -j SNAT \
         --to-source $ETH0:321

... along with some magic line of stuff for my iptables rules (what?)
that figures out what $ETH0 is (the ip address of eth0).

What I am not sure about is what happens when an external client connects
to another application on my server, and my server assigns a port number
to complete the connection the other way.  Is iptables smart enough to
tell the application or the kernel not to use 3456?

Any suggestions, oh iptables wise ones?

Keith

-- 
Keith Lofstrom          keithl at keithl.com         Voice (503)-520-1993
KLIC --- Keith Lofstrom Integrated Circuits --- "Your Ideas in Silicon"
Design Contracting in Bipolar and CMOS - Analog, Digital, and Scan ICs
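
A shell version of the remap described above, added here as an example and not part of the original message: it fills in the interface address (the "magic line"), checks that the application port lies outside the kernel's ephemeral source-port range (so the port-collision worry does not arise), and emits one DNAT rule plus the matching INPUT accept; conntrack reverses the translation on reply packets, so no SNAT rule is needed. The helper names and the 192.0.2.10 address used in comments are assumptions; eth0, 321 and 3456 are the post's values.

```shell
#!/bin/sh
# Added example, not code from the original post. Helper names are mine;
# eth0, port 321 and port 3456 come from the post.

# First global IPv4 address of an interface, parsed from iproute2 output:
# this is the "magic line" that fills in $ETH0.
iface_addr() {
    ip -o -4 addr show dev "$1" scope global | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Kernel ephemeral (outbound source) port range as "low high"; the fallback
# is the usual Linux default when /proc is not readable.
ephemeral_range() {
    cat /proc/sys/net/ipv4/ip_local_port_range 2>/dev/null || echo "32768 60999"
}

# Succeeds when port $1 is outside the range "$2 $3". The kernel only hands
# out source ports from that range for outgoing connections, so an
# application port outside it cannot collide with them.
port_outside_ephemeral() {
    [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]
}

# Print the rules that remap external port $3 on interface $1 (address $2)
# to local port $4. One DNAT rule in the nat table is enough: conntrack
# undoes the translation on replies. The filter table sees the packet after
# DNAT, so INPUT must accept the application port, not the external one.
remap_rules() {
    iface=$1; addr=$2; ext=$3; app=$4
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport %s -j DNAT --to-destination %s:%s\n' \
        "$iface" "$addr" "$ext" "$addr" "$app"
    printf 'iptables -A INPUT -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$iface" "$addr" "$app"
}

# Validate the application port, then apply the rules (needs root).
# Usage (assumed): apply_remap eth0 321 3456
apply_remap() {
    iface=$1; ext=$2; app=$3
    set -- $(ephemeral_range)
    port_outside_ephemeral "$app" "$1" "$2" || { echo "port $app is inside the ephemeral range $1-$2" >&2; return 1; }
    [ "$app" -gt 1024 ] || { echo "port $app is privileged" >&2; return 1; }
    addr=$(iface_addr "$iface")
    [ -n "$addr" ] || { echo "no IPv4 address on $iface" >&2; return 1; }
    # Feed the generated commands to a shell that stops at the first failure.
    remap_rules "$iface" "$addr" "$ext" "$app" | sh -e
}
```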